We are building a tool to block malicious npm/pip packages before installation. Would love your thoughts.
PMG is an open-source tool that intercepts and blocks malicious packages before installation. It supports npm, pip and other package managers and uses real-time threat intelligence to detect malware, typosquats and supply-chain risks.
2026-3-19 15:7:36 Author: www.reddit.com (view original) Reads: 6

We've been working on PMG (Package Manager Guard) - an open-source tool that sits between you and your package manager to block malicious packages before installation.

The problem we're solving:
Traditional scanners run after npm install or in CI/CD. By then, postinstall hooks have already executed.
PMG checks packages against real-time threat intelligence before they download.

What it does:
- Intercepts package manager commands (npm, pip, yarn, pnpm, bun, uv, poetry)
- Checks against threat intel before installation
- Blocks known malicious packages, typosquats, and supply chain risks
- Clean packages proceed normally with zero friction

Looking for feedback on this, and we need more real-world testing from professionals and developers.
Open to contributions; drop a ⭐ if you find it useful.


Source: https://www.reddit.com/r/netsecstudents/comments/1ry2ycj/we_are_building_a_tool_to_block_malicious_npmpip/